A multinational corporation uses Palo Alto Networks NGFWs to secure user access to cloud-based productivity applications. Users authenticate via SAML using an external identity provider. Recently, the helpdesk has received multiple complaints that when users log in to the first application in the morning, they are prompted for SAML authentication. After authenticating successfully, if they navigate to a different application (e.g., from email to document editing) within the same browser tab, they are again prompted to re-authenticate, which disrupts their workflow. The firewall authentication logs show that each application access triggers a new SAML authentication request, even though the user’s session is still active. The administrator has verified that the SAML identity provider is properly configured, and the authentication profile on the firewall uses a unique identifier per user. The company wants to minimize re-authentication prompts while maintaining security. Which action should the administrator take?
Configure a session token lifetime in the authentication profile. The firewall then caches the result of the user's successful SAML authentication and treats further requests from that user within the configured period as already authenticated, instead of redirecting to the identity provider for every new application.
Why this answer
The symptom (a new SAML request in the authentication log for every application the user opens, while the user's session is still active) shows that the firewall is not retaining the user's authenticated state across requests. With a session token lifetime configured in the authentication profile, the firewall records the successful authentication and does not issue another SAML request for that user until the lifetime expires, which removes the redundant prompts. The lifetime should be sized to the organisation's needs (for example, a working day): a longer window means fewer prompts but also a longer period during which an unattended, already-authenticated session stays valid, so the value is a deliberate trade-off rather than something to set as large as possible. Option A (Single Logout) terminates an existing session at the identity provider and the applications that share it; it ends sessions rather than preventing re-authentication.
Option B (reducing the timeout) would make cached authentications expire sooner and increase the number of prompts. Option D (removing authentication enforcement) would stop the prompts only by removing the control itself, which weakens security. Therefore, option C is correct.
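The following is an added illustration, not Palo Alto Networks code and not part of the original question: a small model of the cache-with-lifetime behaviour the answer describes. It keeps one timestamp per (user, source IP) and only "prompts" when no unexpired entry exists. The user names, addresses, application names and timestamps are constructed sample data, and the absolute (not sliding) window is an assumption made to keep the model simple.

```python
"""Model of an authentication cache with a session token lifetime.

Added example (assumption: not PAN-OS code). The firewall is modelled as
remembering each successful authentication per (user, source IP) for
`lifetime_minutes`, measured from the time of that authentication. A request
with a valid cached entry is served without a new SAML request; anything
else (no entry, expired entry, or a different source IP) triggers a prompt.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class AuthCache:
    lifetime_minutes: int
    # (username, source_ip) -> time of the last successful authentication
    _entries: dict = field(default_factory=dict)

    def evaluate(self, user: str, src_ip: str, now: datetime) -> str:
        """Return 'cached' if the user is treated as already authenticated,
        otherwise 'prompt' (a new SAML request to the IdP), recording the
        new authentication time in that case."""
        key = (user, src_ip)
        last = self._entries.get(key)
        if last is not None and now - last < timedelta(minutes=self.lifetime_minutes):
            return "cached"
        # No valid cached authentication: redirect to the IdP and, on
        # success, remember when it happened. With lifetime 0 the window is
        # empty, so every request lands here, which is the reported symptom.
        self._entries[key] = now
        return "prompt"


# Constructed sample of one user's morning: (time, user, source IP, app).
# The third event comes from a different source IP; the last is 8.5 hours
# after the first authentication.
EVENTS = [
    (datetime(2024, 1, 1, 8, 0), "alice", "10.1.1.5", "email"),
    (datetime(2024, 1, 1, 8, 5), "alice", "10.1.1.5", "docs"),
    (datetime(2024, 1, 1, 8, 10), "alice", "10.1.2.9", "docs"),
    (datetime(2024, 1, 1, 8, 30), "alice", "10.1.1.5", "chat"),
    (datetime(2024, 1, 1, 16, 30), "alice", "10.1.1.5", "email"),
]


def replay(lifetime_minutes: int, events=EVENTS) -> list:
    """Replay the events through a fresh cache; return (app, decision) pairs."""
    cache = AuthCache(lifetime_minutes)
    return [(app, cache.evaluate(user, ip, t)) for (t, user, ip, app) in events]


def prompt_count(lifetime_minutes: int, events=EVENTS) -> int:
    """Number of SAML prompts the user would see for the given lifetime."""
    return sum(1 for _, decision in replay(lifetime_minutes, events) if decision == "prompt")


if __name__ == "__main__":
    for lifetime in (0, 480):
        print(f"lifetime={lifetime:>3} min:", replay(lifetime))
        print(f"  prompts: {prompt_count(lifetime)}")
```

Replaying the same sequence with a lifetime of 0 produces a prompt on every event (five prompts), which is the helpdesk complaint; with an 8-hour lifetime the user is prompted once in the morning, once from the second source address, and once more after the window has expired. The per-source-IP key and the expiry are the two edge cases worth checking before rolling the setting out, since both still cause a prompt even with the lifetime configured.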